Black Hat 10: How PayPal Minimizes GRC Risks

Alex Hutton, Principal in Research & Risk Intelligence with Verizon Business, says implementing a GRC program without any measurement is governance and compliance via superstition. Learn why risk management without metrics will hamper your enterprise's governance, risk and compliance efforts.

Organizations typically pursue the implementation of a Governance, Risk, and Compliance (GRC) program through a circular series of activities:

Embracing standards and defining policies

Running tests and validations against those policies

Uncovering and classifying 'issues,' prioritizing and fixing some of those issues based on risk/impact guesses

Doing it all again in hopes that the state of compliance and risk level stayed at least as good as it was the last time around

This method produces results demonstrating a point-in-time state, but it does little to measure the real risk to the business. If the organization is mature in its implementation, executives may be able to roll some of their findings into the next iteration in order to improve results. If the firm is really on top of its game, executives may be able to analyze multiple iterations to identify trends or patterns, which can be used to further adjust future program activities. Even with relevant trends and patterns emerging, however, those results are based on limited, isolated data and can only be measured against previous results; the analysis does little more than prove that the organization is doing better, or worse, than in the previous period.